Active Directory Time-bound Group Membership in Windows Server 2016

Active Directory Expiring Links is a new feature in Windows Server 2016 that enables time-bound group membership, expressed by a time-to-live (TTL) value. It allows administrators to assign temporary group membership. This feature is not enabled by default because it requires the forest functional level to be Windows Server 2016. Also, once this feature is enabled, it cannot be disabled.

This article will guide you through the steps to enable Active Directory time-bound group membership in Windows Server 2016.

Open PowerShell and execute the following command to enable the time-bound feature in Active Directory.

Now, I have a user called Jhon to whom I need to assign Domain Admins group membership for 20 minutes.

List the current members of the Domain Admins group by executing the following command:

Get-ADGroupMember "Domain Admins"

Next, add Jhon to the Domain Admins group for 20 minutes:

Add-ADGroupMember -Identity 'Domain Admins' -Members 'jhon' -MemberTimeToLive (New-TimeSpan -Minutes 20)

Verify the TTL of Jhon's group membership with the following command:

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive

The group membership will automatically expire after 20 minutes.
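The whole procedure as one script, added here as an example and not taken from the original article: it checks the forest functional level, enables the 'Privileged Access Management Feature' (the optional feature that provides expiring links) only if needed, grants the membership, and then audits the group for permanent versus expiring members. The helper name ConvertFrom-TtlMember and the variables are assumptions; the group, user and duration are the article's.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $Group, $User and $Minutes mirror the article's scenario.
$Group = 'Domain Admins'; $User = 'jhon'; $Minutes = 20

# 1. Expiring links need forest functional level Windows Server 2016.
$forest = Get-ADForest
if ($forest.ForestMode -lt 'Windows2016Forest') {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2016 is required."
}

# 2. Enable the optional feature only if it is not already on (this cannot be undone).
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest.Name
}

# 3. Grant the time-bound membership.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)

# 4. Audit helper (hypothetical name). With -ShowMemberTimeToLive, an expiring
#    member is returned as '<TTL=seconds>,DN'; a permanent member is a plain DN.
function ConvertFrom-TtlMember {
    param([Parameter(ValueFromPipeline)][string]$Member)
    process {
        if ($Member -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{
                Member    = $Matches[2]
                Permanent = $false
                ExpiresAt = (Get-Date).AddSeconds([int]$Matches[1])
            }
        } else {
            [pscustomobject]@{ Member = $Member; Permanent = $true; ExpiresAt = $null }
        }
    }
}

# Permanent members of a privileged group are the ones to review first.
(Get-ADGroup $Group -Property member -ShowMemberTimeToLive).member |
    ConvertFrom-TtlMember |
    Sort-Object Permanent, ExpiresAt -Descending |
    Format-Table -AutoSize
```

Running step 4 on a schedule against privileged groups gives a quick view of which memberships will expire on their own and which are standing access.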